AI Technical Documentation Under the EU AI Act
Article 11 EU AI Act: compile Annex IV technical documentation before market launch, 10-year retention under Article 18, deadline 2 December 2027.
If your organisation builds or places a high-risk AI system on the EU market, Article 11 of Regulation (EU) 2024/1689 requires you to compile technical documentation before the system goes live — and keep it current for as long as the system operates, plus ten years after. That documentation is not a formality. It is the primary evidence file that a market-surveillance authority or notified body examines when it wants to know whether your system is compliant.
This guide explains what technical documentation is, what it must contain under Annex IV, how it relates to the other documentation obligations in the Act, who has to produce it, and what the SME simplification actually allows. For a deeper look at the specific Annex IV contents and the Article 11 text itself, see the dedicated guides linked at the bottom.
What Article 11 Requires
Article 11 imposes three distinct obligations on providers of high-risk AI systems:
Draw it up before placing the system on the market. Documentation must exist before a system is made available to deployers or put into service under the provider's own name. This is not a post-launch housekeeping task.
Keep it up to date. The documentation must track the system as it evolves. A model retrained on new data, a changed intended purpose, or a new operating environment all require updates. A document that accurately described the system at launch but no longer reflects its current state fails the requirement.
Make it available to authorities. Competent authorities and notified bodies must be able to obtain and review the documentation on request. This means it must be retrievable — not buried in internal systems without an access path.
The retention obligation sits in Article 18, not Article 11 itself: documentation must be kept for ten years after the system is placed on the market or put into service. For systems withdrawn early, the ten-year clock runs from the date of withdrawal.
Who Must Produce It
Article 11 is a provider obligation. Under Article 3, a provider is any natural or legal person who develops a high-risk AI system and places it on the market or puts it into service under their own name or trademark — whether or not they sell it commercially.
Deployers — organisations that use someone else's high-risk system in a professional context — are generally not required to produce Article 11 documentation for the system they deploy. That duty stays with the provider. However, a deployer that substantially modifies a system, puts their own name on it, or changes its intended purpose becomes a provider under Article 25 and inherits the full documentation obligation.
For companies that build AI tools and sell or license them to other businesses: you are a provider. Technical documentation is yours to assemble.
What Annex IV Specifies
Annex IV sets out the required contents. The structure covers nine substantive areas:
-
General description and intended purpose — the system's name, version, what it is designed to do, the deployment context, and the population of persons affected by it.
-
Development process, design choices, and architecture — how the system was built, what design decisions were made and why, the architecture (including hardware and software dependencies), and the training methodology.
-
Data and data governance — in line with the requirements of Article 10, this covers training, validation, and testing datasets: sources, collection procedures, demographic representation, known limitations, and the measures taken to ensure data quality and relevance.
-
Validation and testing, including accuracy, robustness, and cybersecurity metrics — the test methodologies applied, the benchmarks used, and the performance results required under Article 15, disaggregated where relevant. This section must include the results of validation and testing prior to market placement.
-
Risk management system — documentation of the risk management system operated under Article 9, including identified risks, the measures taken to address them, and the results of testing those measures.
-
Human oversight — the measures designed to allow the human oversight envisaged in Article 14, including the technical means by which operators can intervene in or interrupt system output.
-
Changes and version history — records of all post-market modifications, retraining events, and updates, with dates and a description of what changed.
-
Standards and specifications applied — any harmonised standards used and, where harmonised standards are absent, the common specifications or other technical solutions applied to demonstrate conformity.
-
EU declaration of conformity — a copy of the declaration drawn up under Article 47 (and Annex V), confirming that the system meets the applicable requirements.
The Annex IV guide linked at the bottom goes through each element in detail. The point here is that documentation is not a general narrative about the system — it is a structured evidentiary record mapped directly to the Act's substantive requirements (Articles 9, 10, 14, 15).
The Deadline
High-risk AI systems that fall under Annex III (the stand-alone use-case list — recruitment, creditworthiness, biometrics, and so on) must comply with Article 11 from 2 December 2027, under the Digital Omnibus political agreement reached in May 2026, which deferred the original 2 August 2026 date.
For high-risk AI systems that are safety components of products governed by EU product-safety legislation listed in Annex I — medical devices, machinery, vehicles — the date is 2 August 2028.
The deferral creates time to prepare, not a reason to delay. Assembling the Annex IV documentation pack for a moderately complex system takes months: data-governance records have to be reconstructed, architecture decisions documented, risk management formalised, and version histories established. Starting that process in mid-2027 is optimistic for most teams.
The SME Simplification
Article 11(3) allows SMEs (and startups that meet the EU definition) to provide their technical documentation in a simplified form. The Act does not define what "simplified" means in detail; the European AI Office is expected to publish guidance. In practice, the simplification is likely to reduce the depth of certain evidence sections rather than eliminate any of the nine Annex IV areas — the required contents remain fixed, even if a small company can provide proportionate rather than exhaustive supporting evidence for each element.
If you are an SME and you intend to rely on the simplified form, document your SME status in your compliance records. The simplification is a privilege you have to qualify for, not a default available to everyone.
How Technical Documentation Relates to Other Documents
Article 11 documentation is the central compliance record, but it sits within a wider documentation ecosystem under the Act. These are related and often linked, but distinct:
Article 12 — Logging and record-keeping. Providers must ensure that high-risk systems automatically log events over their operational lifetime. Those logs are not part of the Article 11 documentation pack, but they feed the post-market monitoring record and are available to authorities separately.
Article 13 — Instructions for use. Providers must supply deployers with clear instructions explaining the system's intended purpose, performance characteristics, foreseeable misuse, and the human oversight measures available. Instructions for use often draw on sections of the Annex IV documentation but are a distinct, deployer-facing deliverable.
Article 17 — Quality management system. Providers must operate a QMS that covers, among other things, their documentation procedures. The QMS is the governance framework; the Article 11 documentation is one of the outputs it governs.
Article 47 / Annex V — EU Declaration of Conformity. Once the provider is satisfied that the system meets the requirements, they draw up this declaration. A copy of the declaration must be included in the Annex IV documentation (see point 9 above), so the declaration and the documentation are interrelated, but the declaration is a separate legal instrument.
Article 53 / Annex XI–XII — GPAI documentation. Providers of high-risk AI systems built on top of a general-purpose AI model receive technical documentation from the model provider under Article 53. That GPAI documentation can inform, but does not substitute for, the provider's own Article 11 documentation pack covering the complete system.
What Regulators Check
When a market-surveillance authority conducts an inspection under Article 74, the Article 11 documentation is the first thing it requests. The practical weaknesses that most frequently surface:
Stale documentation. The system in production does not match the documented version. A model retrained after a data quality issue, a new feature added by the development team, or an expanded deployment scope that was never reflected in the documentation — any of these create a gap between evidence and reality.
Missing data governance records. Annex IV requires documentation of training, validation, and testing data under Article 10 standards. Organisations that lack data-lineage records or cannot produce demographic breakdowns of their training sets cannot satisfy this element.
Absent risk management trace. The Article 9 risk management system must be documented as a continuous process, not a one-time assessment. If the documentation shows a risk register drawn up at launch with no subsequent entries, it suggests the process exists on paper only.
Undocumented human oversight. Article 14 requires human oversight measures to be built into the system and explained to deployers. Documentation that describes oversight in general terms without specifying the technical means of intervention and the circumstances in which it must be used will not satisfy the requirement.
How Confir Helps
Assembling the Annex IV documentation pack is the most time-intensive part of high-risk compliance. Confir generates the complete Article 11 / Annex IV technical-documentation pack from a structured intake — covering system description, development process, data governance, risk management, human oversight, and version history — using deterministic, rule-based logic that produces the same output from the same inputs every time. No drafting from scratch; no guessing which Annex IV element maps to which Article.
The pack is one output of the AITR (Data & Technical Robustness) assessment track, which maps your answers to Articles 10, 11, and 15 in sequence. Once generated, it sits alongside the Article 47 Declaration of Conformity and the Article 27 FRIA in a single print-ready compliance file, ready for authority review.
Frequently Asked Questions
What is the difference between Article 11 and Annex IV?
Article 11 is the legal obligation: providers of high-risk AI systems must compile, maintain, and make available technical documentation. Annex IV specifies the content that documentation must cover — nine areas including the system description, development process, data governance (Article 10), testing and performance metrics (Article 15), the risk management system (Article 9), and human oversight measures (Article 14). Article 11 is the duty; Annex IV is the checklist for meeting it.
How long do I have to keep technical documentation after my system is taken off the market?
Ten years from the date the system is placed on the market or put into service, under Article 18. That clock does not restart when you withdraw the system — it runs from the original market placement. The retention period is longer than many organisations expect and requires a deliberate records-management policy.
What are the penalties for failing to maintain Article 11 documentation?
Non-compliance with Article 11 falls under the mid-tier penalty in Article 99(4): fines up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. For companies with turnover above €500 million, the percentage threshold will exceed the fixed amount. SMEs and startups benefit from the proportionality rule in Article 99(6), which caps their fine at the lower of the percentage or the fixed amount.
Does the SME simplification eliminate any of the Annex IV requirements?
No. Article 11(3) allows SMEs to provide documentation in a simplified form, but the nine substantive areas in Annex IV remain required. The simplification affects the depth and format of evidence, not the coverage. An SME still needs to document its data governance, risk management, and human oversight — it may be able to do so with proportionate rather than exhaustive supporting material.
When does Article 11 apply to my system?
If your system falls under the Annex III use-case list (recruitment, creditworthiness, biometrics, law enforcement, and the other four categories), the obligation applies from 2 December 2027 under the Digital Omnibus agreed in May 2026. For high-risk AI embedded in products covered by Annex I product-safety legislation, the date is 2 August 2028. The documentation must be ready before the system goes to market — not drawn up after the deadline passes.
Do deployers have to produce Article 11 documentation?
In principle, no — the obligation rests with the provider. But if a deployer substantially modifies a high-risk system, attaches their own name to it, or changes its intended purpose, they become a provider under Article 25 and the full Article 11 obligation follows. Deployers who receive a system from a provider should check that the provider's documentation package is complete; that diligence matters for deployer obligations under Article 26.
What is the relationship between Article 11 documentation and the EU Declaration of Conformity?
They are separate instruments that reference each other. The provider draws up the EU Declaration of Conformity under Article 47 (with the required contents in Annex V) to formally assert that the system meets the applicable requirements. A copy of that declaration must be included in the Annex IV documentation pack itself. The documentation is the evidentiary file; the declaration is the legal statement built on top of it.
Related guides
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →